TenantAtlas/specs/114-system-console-control-tower/data-model.md

Phase 1 — Data Model (Spec 114: System Console Control Tower)

This feature is primarily read-only UI over existing platform/ops metadata.

Entities (existing)

Workspace (workspaces)

• Purpose: group tenants; scope boundary for tenant plane.
• Relevant fields: id, name, slug, timestamps.
• Relationships:
  • Workspace::tenants()
  • Workspace::memberships()

Tenant (tenants)

• Purpose: customer tenant inventory + onboarding/health metadata.
• Relevant fields (high level):
  • id, external_id, name, workspace_id, status, environment
  • RBAC signals: rbac_last_checked_at, rbac_last_setup_at, rbac_canary_results, rbac_last_warnings
  • metadata (array)
• Relationships:
  • Tenant::providerConnections() → provider_connections
  • Tenant::permissions() → tenant_permissions
  • Tenant::auditLogs() → audit_logs

ProviderConnection (provider_connections)

• Purpose: connectivity + health-check metadata for external provider.
• Relevant fields: provider, is_default, scopes_granted, last_health_check_at, metadata.

TenantPermission (tenant_permissions)

• Purpose: cached/recorded permission checks.
• Relevant fields: key (permission name), status, details, last_checked_at.

OperationRun (operation_runs)

• Purpose: canonical operations observability record (non-negotiable per constitution).
• Relevant fields:
  • identity/scope: workspace_id (NOT NULL), tenant_id (nullable), user_id (nullable), initiator_name
  • lifecycle: type, status (queued|running|completed), outcome (pending|succeeded|failed|canceled|…)
  • audit UX: summary_counts (numeric-only keys), failure_summary (sanitized bounded array), context (sanitized/limited)
  • timing: created_at, started_at, completed_at

AuditLog (audit_logs)

• Purpose: security/audit trail.
• Relevant fields: workspace_id, tenant_id (nullable), actor_*, action, status, metadata (sanitized), recorded_at.
• System console relevant actions (already emitted):
  • platform.auth.login
  • platform.break_glass.enter|exit|expired

Derived/Computed concepts (new, no new table)

Time window

• Enumerated: 1h, 24h (default), 7d.
• Used for Control Tower and for failures/stuck scoping.

“Stuck” run classification

• Definition: a run is “stuck” when:
  • status=queued and created_at <= now() - queued_threshold_minutes AND started_at IS NULL, OR
  • status=running and started_at <= now() - running_threshold_minutes
• Thresholds are configurable (v1):
  • system_console.stuck_thresholds.queued_minutes
  • system_console.stuck_thresholds.running_minutes

Tenant/workspace health badge

• “Worst wins” aggregation over signals:
  • Tenant status (active/onboarding/archived)
  • Provider connection health/status
  • Permission status
  • Recent failed/stuck runs within the time window
• Display-only; does not mutate state.

Validation rules

• Any operator-provided reason/note (break-glass, mark investigated): min length 5, max length 500.
• Filters: only allow known enum values (time window, run status/outcome).

Storage/indexing plan (Phase 2 tasks will implement)

• operation_runs:
  • Indexes to support windowed queries and grouping:
    • (workspace_id, created_at)
    • (tenant_id, created_at)
    • optional: (status, outcome, created_at) and (type, created_at) depending on explain plans
• audit_logs:
  • (action, recorded_at) and (actor_id, recorded_at) for Access Logs filters

Notes on data minimization

• Use RunFailureSanitizer + SummaryCountsNormalizer contracts.
• Avoid rendering raw context by default; when displayed, cap size and redact sensitive keys.